Code-Projects Online Application System for Admission Sensitive Information Disclosure Vulnerability

A sensitive information disclosure vulnerability has been identified in Code-Projects Online Application System for Admission version 1.0. The issue arises from an exposed SQL database backup file, 'oas.sql', which is stored in a publicly accessible directory within the web root. The web server does not restrict access to .sql files, allowing remote users to download the database dump without authentication. This vulnerability exposes the complete database structure and application data, including user records, credentials, and personal information, to unauthorized users.

Impact

Exploitation of this vulnerability allows unauthorized access to sensitive database information, including user credentials, application data, and database schema. This could lead to unauthorized administrative access, account compromises, and further exploitation of the application or its database.

Reproduction

To reproduce this vulnerability, upload the application to a web server and navigate to the 'enrollment/database/oas.sql' file. The SQL file can be downloaded directly without authentication, exposing sensitive database content such as administrator and user credentials.

Remediation

It is recommended to remove SQL files from the web root and store database backups in secure locations not accessible via HTTP. Access to backup files should be limited to authorized administrators only.